Skip to content

Skill: recon-target

Rendered verbatim from apps/mcp-server/skills/recon-target/SKILL.md — this is exactly what the agent runs on.

Recon a target

A "target" is a program (optionally narrowed to a scope). Assets attach to a program through its scopes.

Order of operations

  1. Find the target. list_programs (filter by search/platformName) to get the programId. Skip if you already have it.
  2. Map it cheaply. get_target_overview with the programId — returns program metadata, scopes, and per-type asset counts. Read the counts before pulling rows.
  3. Drill in, paged. Use the counts to decide what to pull. Every list tool takes programId (and optional scopeId/platformName) plus page/limit. Never pull thousands of rows blindly — page and filter.

What each asset type tells you

  • list_http_pathsrichest signal. Each row has statusCode, length, tool, and the path value. Filter to a domain with domainId. Live 200s / unusual lengths are your first hunting ground.
  • list_ports — open ports with service (http/https/null). Use ipAddressId to focus one host.
  • list_domains / list_ip_addresses — the surface; join domains→IPs→ports→paths.
  • list_technologies (+ get_http_path_technologies / get_port_technologies) — fingerprints; pivot to known-vuln tech.
  • list_mobiles / list_wildcards / list_cidrs — mobile apps and scope boundaries.

Discipline

  • Respect scope: only assets under the target's scopes are in-bounds.
  • Prefer updatedAfter to focus on recently-changed assets when re-checking a target.
  • If you need the full picture, page each type rather than requesting huge limits.

Next: to go beyond what's already scanned, author a scan workflow →.